Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 252567 (CVE-2008-5514)

Summary: net-libs/c-client <2007e: Denial of Service (CVE-2008-5514)
Product: Gentoo Security Reporter: Matti Bickel (RETIRED) <mabi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: wrobel
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=477227
Whiteboard: C3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 255121    

Description Matti Bickel (RETIRED) gentoo-dev 2008-12-26 08:46:52 UTC 
From redhat:

"Ludwig Nussel reported a flaw in libc-client / uw-imap:

The rfc822_output_char() function in the uw-imap c-client library does not
check whether the buffer is already full and may therefore write one byte too
much. This leads to a segfault in rfc822_output_data() later due to memcpy with
size -1.

Issue was fixed in imap-2007e:
  Updated: 16 December 2008

  imap-2007e is a maintenance release, consisting primarily of bugfixes to
  problems discovered in the release that affected a small number of users
  plus a security fix for users of the RFC822BUFFER routines."
Comment 1 Matti Bickel (RETIRED) gentoo-dev 2008-12-26 08:49:07 UTC 
gunnar, can you please provide an updated ebuild?
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2008-12-28 19:59:43 UTC 
net-libs/c-client-2007e is in the tree.

Targets:

  alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86
Comment 3 Brent Baude (RETIRED) gentoo-dev 2008-12-29 13:58:31 UTC 
ppc64 done
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-29 18:23:13 UTC 
ppc stable
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-29 21:03:16 UTC 
amd64 stable
Comment 6 Friedrich Oslage (RETIRED) gentoo-dev 2008-12-30 20:39:34 UTC 
sparc stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2009-01-03 02:28:41 UTC 
Stable for HPPA.
Comment 8 Markus Meier gentoo-dev 2009-01-03 20:57:36 UTC 
x86 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2009-01-07 18:47:25 UTC 
alpha/ia64 stable
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-11 19:07:23 UTC 
time for vote. Since it can be used on servers too, i vote yes.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 17:17:08 UTC 
YES, filed.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-23 21:26:27 UTC 
CVE-2009-0671 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0671):
  Format string vulnerability in the University of Washington (UW)
  c-client library, as used by the UW IMAP toolkit imap-2007d and other
  applications, allows remote attackers to execute arbitrary code via
  format string specifiers in the initial request to the IMAP port
  (143/tcp).
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-23 21:27:09 UTC 
I think it fits, so let's handle that one in the glsa, too.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-02-24 10:06:00 UTC 
Craig, you can't simply add CVEs that require [ebuild] status to a [glsa] bug.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-25 18:30:36 UTC 
Whoops, sorry, I thought it might be ok, because of the affected versions, but well, I failed a bit.  :/
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2009-03-30 16:02:37 UTC 
arm/s390/sh stable
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2009-11-25 16:11:09 UTC 
245425
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2009-11-25 16:11:22 UTC 
eehh.. GLSA 200911-03